
Feature: Support Key Pair authentication and key pair rotation

Open ZhiHanZ opened this issue 3 years ago • 2 comments

Summary: we could use key pair authentication as an alternative approach to basic authentication (user/password).

Process:

  1. users generate their PEM private/public key pair with openssl, or generate the key pair from a cloud service such as KMS
  2. assign the public key to a databend user
  3. the end user sends their private key to the databend kernel and is authenticated by their public key (authentication should be in memory)

To support uninterrupted key rotation, it would be nice to support multiple public keys for a single user, like RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2. It would also be nice to set some quotas in the kernel configuration and add the necessary restrictions.

example SQL:

alter user zhihanz set rsa_public_key='ABC123...';
alter user zhihanz unset rsa_public_key;
alter user zhihanz set rsa_public_key_2='alternative keypair';

ref: https://docs.snowflake.com/en/user-guide/key-pair-auth.html

ZhiHanZ avatar Oct 17 '22 09:10 ZhiHanZ

I think the priority of this issue is suitable for a good first issue? cc @flaneur2020

ZhiHanZ avatar Oct 17 '22 09:10 ZhiHanZ

  1. the end user sends their private key to the databend kernel and is authenticated by their public key

I thought the private key should never be sent out.

Some client logic is needed here:

  • Databend encrypts a message with the user's public key to build a challenge
  • The client uses its private key to decrypt the message and resolve the challenge

Xuanwo avatar Oct 18 '22 00:10 Xuanwo
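Putting the two halves of this thread together, here is an added example in Go (not databend code, and not written by either commenter) that implements the challenge-response Xuanwo describes on top of the two key slots proposed in the issue body, then walks the rotation sequence the issue asks for: register RSA_PUBLIC_KEY, add RSA_PUBLIC_KEY_2, unset the old one, and check which private key can still log in at each step. The names `User`, `Challenge`, `SolveChallenge` and `RotationScenario`, the choice of RSA-OAEP with SHA-256, the 32-byte nonce and the use of the user name as OAEP label are all assumptions of this example; the `ALTER USER` statements appear only as comments marking where each step would be triggered, and the keys are generated in-process here where a user would really use openssl or a KMS.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// User is the server-side record: Keys[0] is RSA_PUBLIC_KEY, Keys[1] is RSA_PUBLIC_KEY_2; only public keys are stored.
type User struct {
	Name string
	Keys [2]*rsa.PublicKey
}

// Challenge is per-login server state: a nonce, plus that nonce encrypted under each registered key (both during rotation).
type Challenge struct {
	nonce       []byte
	Ciphertexts [2][]byte // indexed like User.Keys; nil where the slot is empty
}

// NewChallenge is what the server sends to the client in place of a password prompt.
func (u *User) NewChallenge() (*Challenge, error) {
	c := &Challenge{nonce: make([]byte, 32)}
	if _, err := rand.Read(c.nonce); err != nil {
		return nil, err
	}
	for slot, pub := range u.Keys {
		if pub == nil {
			continue
		}
		// The user name as OAEP label ties each ciphertext to this account.
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, c.nonce, []byte(u.Name))
		if err != nil {
			return nil, err
		}
		c.Ciphertexts[slot] = ct
	}
	if c.Ciphertexts[0] == nil && c.Ciphertexts[1] == nil {
		return nil, errors.New("user has no RSA public key registered")
	}
	return c, nil
}

// Verify compares in constant time and consumes the challenge so it cannot be replayed.
func (c *Challenge) Verify(response []byte) bool {
	if c.nonce == nil {
		return false
	}
	ok := subtle.ConstantTimeCompare(c.nonce, response) == 1
	c.nonce = nil
	return ok
}

// SolveChallenge is the client side: the private key stays local, and only the nonce
// recovered from whichever ciphertext this key can open is sent back (nil if none opens).
func SolveChallenge(priv *rsa.PrivateKey, userName string, cts [2][]byte) []byte {
	for _, ct := range cts {
		if ct == nil {
			continue
		}
		if pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(userName)); err == nil {
			return pt
		}
	}
	return nil
}

// RotationScenario walks the uninterrupted rotation the issue asks for and returns the
// login outcomes in order: old; old, new (overlap window); old, new (after UNSET).
func RotationScenario() (results []bool, err error) {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048) // in practice made with openssl or a KMS
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	u := &User{Name: "zhihanz"}
	login := func(k *rsa.PrivateKey) { // one full challenge-response round trip
		ch, e := u.NewChallenge()
		if e != nil {
			err = e
			return
		}
		results = append(results, ch.Verify(SolveChallenge(k, u.Name, ch.Ciphertexts)))
	}
	u.Keys[0] = &oldKey.PublicKey // ALTER USER zhihanz SET RSA_PUBLIC_KEY = '<old pem>'
	login(oldKey)
	u.Keys[1] = &newKey.PublicKey // ALTER USER zhihanz SET RSA_PUBLIC_KEY_2 = '<new pem>'
	login(oldKey)
	login(newKey)
	u.Keys[0] = nil // ALTER USER zhihanz UNSET RSA_PUBLIC_KEY: the old key is retired
	login(oldKey)
	login(newKey)
	return results, err
}

func main() {
	res, err := RotationScenario()
	fmt.Println("login outcomes:", res, "error:", err) // expected [true true true false true] <nil>
}
```

Run it with `go run .`; the old key keeps working while both slots are populated and stops working the moment RSA_PUBLIC_KEY is unset, which is the overlap window the issue wants. Two things a real implementation needs that this sketch leaves out: the server has to parse the PEM text passed to `ALTER USER` (a SubjectPublicKeyInfo "PUBLIC KEY" block) and should reject non-RSA or sub-2048-bit keys there, which is the kind of "necessary restriction" the issue mentions; and each `Challenge` must live only in server memory for a short time and be dropped after one `Verify`, as the single-use nonce above does. The encrypt-then-decrypt shape follows the comment it illustrates; a signature from the client over a server-supplied nonce reaches the same goal with the same never-transmit-the-private-key property.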